[tbb-bugs] #26557 [Applications/Tor Browser]: Regression in keyboard fingerprinting
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jun 28 17:46:23 UTC 2018
#26557: Regression in keyboard fingerprinting
------------------------------------------+----------------------
Reporter: pege | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Keywords: ff60-esr
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
I just compared fingerprinting protection between 8.0a8 and 8.0a9. There
appears to be a regression when it comes to key combination with AtlGraph.
My system:
OS: Whonix 14 (Debian stretch) on Qubes OS 4.0
Keyboard layout: Neo (https://neo-layout.org/index_en.html)
For testing I used
https://arthuredelstein.github.io/tordemos/keyboard.html.
There are several keys that have regressed:
== Numbers
When typing the number 0 using the key pad on layer 4 ('<' + space) I
observe this differences:
8.0a8: code: Digit0, modifierState: empty
8.0a9: code: Space, modifierState: AltGraph
Similarly, other numbers, when typing using the number pad on layer 4,
show the actual key that was pressed (KeyM, KeyJ, KeyU, …) instead of
DigitX.
== Navigation Keys
Arrow up:
8.0a8: code: ArrowUp, modifierState: empty
8.0a9: code: ArrowUp, modifierState: AltGraph
The modifier leaks with many of the keys on layer 4. Including, all arrow
keys, escape, home, end, delete, back and comma. Interestingly, period and
colon don't leak the modifier.
I also noticed that colon is recognized as semicolon (on all layers) but
that's also the case in older Tor Browser version.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26557>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list